| <!doctype html> |
| <!-- |
| Minimal Mistakes Jekyll Theme 4.4.1 by Michael Rose |
| Copyright 2017 Michael Rose - mademistakes.com | @mmistakes |
| Free for personal and commercial use under the MIT license |
| https://github.com/mmistakes/minimal-mistakes/blob/master/LICENSE.txt |
| --> |
| <html lang="zh-CN" class="no-js"> |
| <head> |
| <meta charset="utf-8"> |
| |
| <!-- begin SEO --> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <title>使用TLS通信 - Apache ServiceComb</title> |
| |
| |
| |
| |
| <meta name="description" content="使用TLS通信"> |
| |
| |
| |
| |
| <meta name="author" content=""> |
| |
| <meta property="og:locale" content="cn"> |
| <meta property="og:site_name" content="Apache ServiceComb"> |
| <meta property="og:title" content="使用TLS通信"> |
| |
| |
| <link rel="canonical" href="https://github.com/pages/apache/incubator-servicecomb-website/cn/docs/users/use-tls/"> |
| <meta property="og:url" content="https://github.com/pages/apache/incubator-servicecomb-website/cn/docs/users/use-tls/"> |
| |
| |
| |
| <meta property="og:description" content="使用TLS通信"> |
| |
| |
| |
| <meta name="twitter:site" content="@ServiceComb"> |
| <meta name="twitter:title" content="使用TLS通信"> |
| <meta name="twitter:description" content="使用TLS通信"> |
| <meta name="twitter:url" content=""> |
| |
| |
| <meta name="twitter:card" content="summary"> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <script type="application/ld+json"> |
| { |
| "@context" : "http://schema.org", |
| "@type" : "Person", |
| "name" : "Apache ServiceComb", |
| "url" : "https://github.com/pages/apache/incubator-servicecomb-website", |
| "sameAs" : null |
| } |
| </script> |
| |
| |
| |
| <meta name="google-site-verification" content="HvJjNd7vvJ-yjSTHlBiIWEYxp_Hrz-PYEY5Idz9LRcA" /> |
| |
| |
| |
| |
| <!-- end SEO --> |
| |
| |
| <link href="/feed.xml" type="application/atom+xml" rel="alternate" title="Apache ServiceComb Feed"> |
| |
| <!-- http://t.co/dKP3o1e --> |
| <meta name="HandheldFriendly" content="True"> |
| <meta name="MobileOptimized" content="320"> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <script> |
| document.documentElement.className = document.documentElement.className.replace(/\bno-js\b/g, '') + ' js '; |
| </script> |
| <!-- NOTE(review): clipboard.js and MathJax below are loaded from a third-party CDN without integrity/crossorigin (SRI) attributes, unlike the Bootstrap, jQuery and Popper tags further down; a tampered CDN response would execute in this page's origin unchecked. --> |
| <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> |
| <script src="/assets/vendor/prism/prism.js"></script> |
| |
| <script type="text/javascript" async |
| src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-MML-AM_CHTML"> |
| </script> |
| |
| <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous"> |
| |
| <script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script> |
| <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.11.0/umd/popper.min.js" integrity="sha384-b/U6ypiBEHpOf/4+1nzFpr53nxSS+GLCkfwBdFNTxtclqqenISfwAzpKaMNFNmj4" crossorigin="anonymous"></script> |
| <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/js/bootstrap.min.js" integrity="sha384-h0AbiXch4ZDo7tp9hKZ4TsHbi047NrKGLO3SEJAg45jXxnGIfYzk4Si90RDIqNm1" crossorigin="anonymous"></script> |
| <!-- For all browsers --> |
| <link rel="stylesheet" href="/assets/css/main.css"> |
| <link rel="stylesheet" href="/assets/vendor/prism/prism.css"> |
| |
| <!--[if lte IE 9]> |
| <style> |
| /* old IE unsupported flexbox fixes */ |
| .greedy-nav .site-title { |
| padding-right: 3em; |
| } |
| .greedy-nav button { |
| position: absolute; |
| top: 0; |
| right: 0; |
| height: 100%; |
| } |
| </style> |
| <![endif]--> |
| |
| <meta http-equiv="cleartype" content="on"> |
| |
| <!-- start custom head snippets --> |
| |
| <!-- insert favicons. use http://realfavicongenerator.net/ --> |
| <link href="https://fonts.loli.net/css?family=Roboto:400,500,700|Source+Code+Pro" rel="stylesheet"> |
| <script src="/assets/js/custom.js"></script> |
| <!-- end custom head snippets --> |
| |
| </head> |
| |
| <body class="layout--single"> |
| |
| |
| |
| |
| |
| |
| |
| <div id="main" role="main"> |
| |
| |
| |
| |
| <article class="page" itemscope itemtype="http://schema.org/CreativeWork"> |
| <meta itemprop="headline" content="使用TLS通信"> |
| <meta itemprop="description" content="使用TLS通信"> |
| |
| <meta itemprop="dateModified" content="August 15, 2017"> |
| |
| <div class="page__inner-wrap"> |
| |
| |
| <header> |
| <h1 class="page__title" itemprop="headline">使用TLS通信 |
| </h1> |
| |
| </header> |
| |
| |
| |
| <section class="page__content" itemprop="text"> |
| <h2 id="场景描述">场景描述</h2> |
| |
| <p>用户通过简单的配置即可启用TLS通信,以保障数据的传输安全。</p> |
| |
| <h2 id="外部服务通信配置">外部服务通信配置</h2> |
| |
| <p>与外部服务通信相关的配置写在microservice.yaml文件中。</p> |
| |
| <ul> |
| <li> |
| <p>服务中心TLS通信配置 |
| 微服务与服务中心的连接可以通过将http改为https启用TLS通信,配置示例如下:</p> |
| |
| <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="na">servicecomb</span><span class="pi">:</span> |
| <span class="na">service</span><span class="pi">:</span> |
| <span class="na">registry</span><span class="pi">:</span> |
| <span class="na">address</span><span class="pi">:</span> <span class="s">https://127.0.0.1:30100</span> |
| </code></pre></div> </div> |
| </li> |
| <li> |
| <p>服务提供者启用TLS通信 |
| 服务提供者在配置服务监听地址时,可以通过在地址后面追加<code class="language-plaintext highlighter-rouge">?sslEnabled=true</code>开启TLS通信,示例如下:</p> |
| |
| <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="na">servicecomb</span><span class="pi">:</span> |
| <span class="na">rest</span><span class="pi">:</span> |
| <span class="na">address</span><span class="pi">:</span> <span class="s">0.0.0.0:8080?sslEnabled=true</span> |
| <span class="na">highway</span><span class="pi">:</span> |
| <span class="na">address</span><span class="pi">:</span> <span class="s">0.0.0.0:7070?sslEnabled=true</span> |
| </code></pre></div> </div> |
| </li> |
| </ul> |
| |
| <h2 id="证书配置">证书配置</h2> |
| |
| <p>证书配置项写在microservice.yaml文件中,支持统一指定证书,也可以添加tag进行更细粒度的配置,有tag的配置会覆盖全局配置,配置格式如下:</p> |
| |
| <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="s">ssl.[tag].[property]</span> |
| </code></pre></div></div> |
| |
| <p>证书配置项说明见下表(表1)。</p> |
| |
| <p><strong>表1 证书配置项说明表</strong></p> |
| |
| <table> |
| <thead> |
| <tr> |
| <th style="text-align: left">配置项</th> |
| <th style="text-align: left">默认值</th> |
| <th style="text-align: left">取值范围</th> |
| <th style="text-align: left">是否必选</th> |
| <th style="text-align: left">含义</th> |
| <th style="text-align: left">注意</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td style="text-align: left">ssl.protocols</td> |
| <td style="text-align: left">TLSv1.2</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">协议列表</td> |
| <td style="text-align: left">使用逗号分隔</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.ciphers</td> |
| <td style="text-align: left">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,<br />TLS_RSA_WITH_AES_256_GCM_SHA384,<br />TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,<br />TLS_RSA_WITH_AES_128_GCM_SHA256</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">算法列表</td> |
| <td style="text-align: left">使用逗号分隔</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.authPeer</td> |
| <td style="text-align: left">true</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">是否认证对端</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.checkCN.host</td> |
| <td style="text-align: left">true</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">是否对证书的CN进行检查</td> |
| <td style="text-align: left">该配置项仅对Consumer端且使用http协议时有效,即Consumer端使用rest通道时有效;对Provider端、highway通道等无效。检查CN的目的是防止服务器被钓鱼(校验服务端证书是否与所访问的主机匹配),参考标准定义:<a href="https://tools.ietf.org/html/rfc2818">https://tools.ietf.org/html/rfc2818</a>。</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.trustStore</td> |
| <td style="text-align: left">trust.jks</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">信任证书文件</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.trustStoreType</td> |
| <td style="text-align: left">JKS</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">信任证书类型</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.trustStoreValue</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">信任证书密码</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.keyStore</td> |
| <td style="text-align: left">server.p12</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">身份证书文件</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.keyStoreType</td> |
| <td style="text-align: left">PKCS12</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">身份证书类型</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.keyStoreValue</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">身份证书密码</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.crl</td> |
| <td style="text-align: left">revoke.crl</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">吊销证书文件</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl.sslCustomClass</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">org.apache.servicecomb.foundation.ssl.SSLCustom的实现类</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">SSLCustom类的实现,用于开发者转换密码、文件路径等。</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| <blockquote> |
| <p><strong>说明</strong>:</p> |
| |
| <ul> |
| <li>默认的协议算法是高强度加密算法,JDK需要安装对应的策略文件,参考:<a href="http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html">http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html</a>。 您可以在配置文件配置使用非高强度算法。</li> |
| <li>微服务消费者,可以针对不同的提供者指定证书(当前证书是按照HOST签发的,不同的提供者都使用一份证书存储介质,这份介质同时给微服务访问服务中心和配置中心使用)。</li> |
| </ul> |
| </blockquote> |
| |
| <h2 id="服务中心的证书配置">服务中心的证书配置</h2> |
| |
| <p>目前支持使用环境变量来配置服务中心的TLS认证方式,默认开启TLS通信并使用双向认证模式,认证对端时同时校验对端主机名是否与证书的CommonName字段匹配。服务管理中心的证书配置项说明见下表(表2)。</p> |
| |
| <p><strong>表2 服务中心TLS证书配置项说明</strong></p> |
| |
| <table> |
| <thead> |
| <tr> |
| <th style="text-align: left">配置项</th> |
| <th style="text-align: left">默认值</th> |
| <th style="text-align: left">取值范围</th> |
| <th style="text-align: left">是否必选</th> |
| <th style="text-align: left">含义</th> |
| <th style="text-align: left">注意</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td style="text-align: left">CSE_SSL_MODE</td> |
| <td style="text-align: left">1</td> |
| <td style="text-align: left">1/0<br />1:HTTPS<br />0:HTTP</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">设置协议模式</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">CSE_SSL_VERIFY_CLIENT</td> |
| <td style="text-align: left">1</td> |
| <td style="text-align: left">1/0<br />1:认证对端<br />0:不认证对端</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">设置HTTPS模式下是否认证对端</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">CSE_SSL_PASSPHASE</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">设置HTTPS模式下的证书密钥访问密码</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| <p>服务管理中心配置文件为$APP_ROOT/conf/app.conf,配置项见表3,该配置暂不支持环境变量方式设置。</p> |
| |
| <p><strong>表3 服务中心配置文件</strong></p> |
| |
| <table> |
| <thead> |
| <tr> |
| <th style="text-align: left">配置项</th> |
| <th style="text-align: left">默认值</th> |
| <th style="text-align: left">取值范围</th> |
| <th style="text-align: left">是否必选</th> |
| <th style="text-align: left">含义</th> |
| <th style="text-align: left">注意</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td style="text-align: left">ssl_protocols</td> |
| <td style="text-align: left">TLSv1.2</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">通信使用的SSL版本</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">ssl_ciphers</td> |
| <td style="text-align: left">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,<br />TLS_RSA_WITH_AES_256_GCM_SHA384,<br />TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,<br />TLS_RSA_WITH_AES_128_GCM_SHA256,<br />TLS_RSA_WITH_AES_128_CBC_SHA</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">否</td> |
| <td style="text-align: left">配置使用算法列表</td> |
| <td style="text-align: left">由于服务中心支持HTTP/2协议,所以ssl_ciphers必须包含TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256算法。TLS_RSA_WITH_AES_128_GCM_SHA256、TLS_RSA_WITH_AES_128_CBC_SHA被HTTP/2协议列入不安全算法黑名单;如为兼顾客户端算法兼容性而配置这两个算法,必须将其放在算法列表的末尾。</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| <h2 id="密钥物料及证书存放路径">密钥物料及证书存放路径</h2> |
| |
| <p><strong>表4 密钥物料及证书存放路径</strong></p> |
| |
| <table> |
| <thead> |
| <tr> |
| <th style="text-align: left">配置项</th> |
| <th style="text-align: left">含义</th> |
| <th style="text-align: left">对应环境变量</th> |
| <th style="text-align: left">注意</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td style="text-align: left">/</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">INSTALL_ROOT</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/etc</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/etc/cipher</td> |
| <td style="text-align: left">密钥物料存放目录</td> |
| <td style="text-align: left">CIPHER_ROOT</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/etc/ssl</td> |
| <td style="text-align: left">证书存放目录</td> |
| <td style="text-align: left">SSL_ROOT</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/etc/ssl/trust.cer</td> |
| <td style="text-align: left">授信CA</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/etc/ssl/server_key.pem</td> |
| <td style="text-align: left">已加密服务端私钥文件</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/etc/ssl/server.cer</td> |
| <td style="text-align: left">服务器证书</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/etc/ssl/cert_pwd</td> |
| <td style="text-align: left">用于存放解密私钥的对称加密密文文件</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/apps</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/apps/ServiceCenter</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">APP_ROOT</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/apps/ServiceCenter/conf</td> |
| <td style="text-align: left">服务管理中心配置文件目录</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| <tr> |
| <td style="text-align: left">/opt/CSE/apps/ServiceCenter/conf/app.conf</td> |
| <td style="text-align: left">应用配置文件</td> |
| <td style="text-align: left">-</td> |
| <td style="text-align: left">-</td> |
| </tr> |
| </tbody> |
| </table> |
| |
| <h2 id="示例代码">示例代码</h2> |
| |
| <p>microservice.yaml文件中启用TLS通信的配置示例如下(示例中的密码仅为占位值;如不希望在配置文件中明文保存密码,可通过ssl.sslCustomClass指定的SSLCustom实现类进行转换):</p> |
| <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">servicecomb</span><span class="pi">:</span> |
| <span class="na">service</span><span class="pi">:</span> |
| <span class="na">registry</span><span class="pi">:</span> |
| <span class="na">address</span><span class="pi">:</span> <span class="s">https://127.0.0.1:30100</span> |
| <span class="na">rest</span><span class="pi">:</span> |
| <span class="na">address</span><span class="pi">:</span> <span class="s">0.0.0.0:8080?sslEnabled=true</span> |
| <span class="na">highway</span><span class="pi">:</span> |
| <span class="na">address</span><span class="pi">:</span> <span class="s">0.0.0.0:7070?sslEnabled=true</span> |
| |
| <span class="c1">#########SSL options</span> |
| <span class="s">ssl.protocols</span><span class="pi">:</span> <span class="s">TLSv1.2</span> |
| <span class="s">ssl.authPeer</span><span class="pi">:</span> <span class="no">true</span> |
| <span class="s">ssl.checkCN.host</span><span class="pi">:</span> <span class="no">true</span> |
| |
| <span class="c1">#########certificates config</span> |
| <span class="s">ssl.trustStore</span><span class="pi">:</span> <span class="s">trust.jks</span> |
| <span class="s">ssl.trustStoreType</span><span class="pi">:</span> <span class="s">JKS</span> |
| <span class="s">ssl.trustStoreValue</span><span class="pi">:</span> <span class="s">Changeme_123</span> |
| <span class="s">ssl.keyStore</span><span class="pi">:</span> <span class="s">server.p12</span> |
| <span class="s">ssl.keyStoreType</span><span class="pi">:</span> <span class="s">PKCS12</span> |
| <span class="s">ssl.keyStoreValue</span><span class="pi">:</span> <span class="s">Changeme_123</span> |
| <span class="s">ssl.crl</span><span class="pi">:</span> <span class="s">revoke.crl</span> |
| <span class="s">ssl.sslCustomClass</span><span class="pi">:</span> <span class="s">org.apache.servicecomb.demo.DemoSSLCustom</span> |
| </code></pre></div></div> |
| |
| |
| </section> |
| |
| <footer class="page__meta"> |
| |
| |
| |
| |
| |
| </footer> |
| |
| |
| |
| |
| |
| </div> |
| |
| |
| </article> |
| |
| |
| |
| </div> |
| |
| |
| |
| |
| <script src="/assets/js/main.min.js"></script> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| </body> |
| </html> |